
Re: [FW1] Secure Remote + NAT + IP Pool NAT



Thanks for the input, but I honestly have no idea what you
are trying to say.

I can't get IP Pool NAT working with Secure Remote when
Secure Remote client is being NATed on the far end (ISP
end). The destination server still sees the Secure Remote
client's original IP address, rather than the pool that I
selected on the firewall. If the Secure Remote client is not
having NAT performed on it, things work as they should, and
the destination server sees an address from the pool I
selected rather than the client's original address.

Does anyone have any information on this?

CryptoTech wrote:
> 
> That is correct.  Since the true negotiation is with the internal ip address, that
> is what the internal devices will see.
> 
> <UDP header<ESP Header<Original Packet>>>
> 
> VPN-1 strips the udp header, then processes the esp packet, leaving the original
> packet from the client, including his ip address.
> 
> I have not had any problems with this config with or without Pools.  Both have
> worked fine for me.
> 
> I have done this on an NT server.
> 
> CryptoTech
> 
> Paul Keefer wrote:
> 
> > Does anyone have any experience with getting Secure Remote
> > behind a NAT gateway working with a Checkpoint firewall that
> > is doing IP Pool NAT?  With no NAT on the client side,
> > everything works great.  With NAT on the client side, the
> > address sent to the end destination from the firewall comes
> > out as the original IP address of the Secure Remote client.
> > I'm using hybrid mode IKE with all the bells and whistles,
> > and the modifications to make secure remote work with
> > NAT...  Here is a picture:
> >
> > OS is solaris 2.6, checkpoint version 4.1 SP3.
> >
> > Secure Remote Client (latest one):
> > 10.10.10.2
> > NAT'ed to:
> > 50.50.50.2
> >
> > Firewall at:
> > 40.40.40.1
> > pool address is:
> > 20.20.20.0/24
> >
> > Server A is:
> > 30.30.30.1
> >
> > The way I understand things, the Secure Remote client should
> > appear to Server A as 20.20.20.x. What I see when doing a
> > packet sniff is 10.10.10.2, which is weird (it still works,
> > but I don't want Server A to see the client's real
> > address).  If the client is not NAT'ed, I see 20.20.20.x
> > come from the firewall destined for Server A as I would
> > expect, and it works.
> >
> > --

-- 
Paul Keefer		AMI-300B/NISC
LAN/WAN Administrator
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
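The packet layout CryptoTech describes, <UDP header<ESP Header<Original Packet>>>, modelled end to end as an added example (this is not code from the thread, from SecuRemote or from VPN-1). It builds the client's original packet, wraps it in ESP and UDP as the client would, strips the outer headers as the gateway would, and then applies a pool translation to the inner header. The addresses are the ones from Paul's diagram; the UDP port 2746, the unencrypted ESP payload, the zero checksums and the absent ICV are simplifications assumed here so the inner packet can be read back directly. What the model shows is that the source address the gateway recovers is the inner one, 10.10.10.2, whether or not the ISP gateway rewrote the outer header to 50.50.50.2, so a pool address can only ever appear at Server A if the translation is applied to that inner header after decapsulation.

```python
"""Constructed model of UDP-encapsulated ESP and IP Pool NAT (example, not vendor code)."""
import ipaddress
import struct

# Addresses from the original post.
CLIENT_REAL = "10.10.10.2"   # SecuRemote client's own address
CLIENT_NAT = "50.50.50.2"    # address the ISP-side NAT gateway presents
FIREWALL = "40.40.40.1"
SERVER_A = "30.30.30.1"
POOL = ipaddress.ip_network("20.20.20.0/24")
UDP_ENCAP_PORT = 2746        # assumed for the model; the thread never names the port


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero, not needed for this model."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def build_inner_packet(src, dst, payload):
    """The original packet from the client (protocol 6 = TCP, payload left opaque)."""
    return ipv4_header(src, dst, 6, len(payload)) + payload


def build_encapsulated(outer_src, outer_dst, inner, spi=0x1234, seq=1):
    """<IP<UDP<ESP<inner>>>>: ESP here is SPI + sequence number + plaintext inner packet."""
    esp = struct.pack("!II", spi, seq) + inner
    udp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp


def outer_src(packet):
    """Source address of the outer IP header, i.e. what the firewall sees on the wire."""
    return str(ipaddress.ip_address(packet[12:16]))


def decapsulate(packet):
    """Gateway side: strip outer IP, strip UDP, process ESP, return the original packet."""
    if packet[9] != 17:  # protocol field of the outer header must be UDP
        raise ValueError("expected UDP encapsulation")
    ihl = (packet[0] & 0x0F) * 4
    esp = packet[ihl + 8:]           # skip outer IP header and 8-byte UDP header
    spi, seq = struct.unpack("!II", esp[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return esp[8:]                   # in real ESP this is where decryption/ICV check happens


def inner_src(inner):
    return str(ipaddress.ip_address(inner[12:16]))


def inner_dst(inner):
    return str(ipaddress.ip_address(inner[16:20]))


def pool_nat(inner, pool, index):
    """Rewrite the inner source to the index-th host of the pool; returns (packet, address)."""
    new_src = list(pool.hosts())[index]
    return inner[:12] + new_src.packed + inner[16:], str(new_src)


def server_a_view(client_natted, pool_index=0):
    """What Server A sees as the source, before and after pool translation."""
    inner = build_inner_packet(CLIENT_REAL, SERVER_A, b"GET / HTTP/1.0\r\n")
    wire = build_encapsulated(CLIENT_NAT if client_natted else CLIENT_REAL, FIREWALL, inner)
    recovered = decapsulate(wire)
    translated, pool_addr = pool_nat(recovered, POOL, pool_index)
    return {
        "outer_src": outer_src(wire),
        "decapsulated_src": inner_src(recovered),
        "after_pool_nat": inner_src(translated),
        "pool_addr": pool_addr,
        "dst": inner_dst(translated),
    }


if __name__ == "__main__":
    for natted in (False, True):
        print("client NATed" if natted else "client direct", server_a_view(natted))
```

Run it and the decapsulated source is 10.10.10.2 in both rows while only the outer source differs; the 20.20.20.x address exists only after the explicit rewrite of the inner header, which is the step that is evidently not happening in the NATed case Paul describes.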



 
   All contents © 2004 Network Presence, LLC. All rights reserved.